Security Fixes

CRITICAL: An attacker could bypass SAML authentication and log in as any other user.

Packages have been updated to the latest security versions.

Bug Fixes

Files uploaded to a repository through the web interface were saved in the wrong location if the target directory contained multi-byte characters.

For teams synchronized to the same LDAP group, group members were inefficiently cached, leading to slower Team Synchronization job runs.

When configured with more than one group, there was an extra comma in the list of restricted LDAP groups in the site admin user search page.

The babeld, codeload, and ruby processes could crash.

Changes

We now only save a single core file per process, so multiple crashes of the same process use less disk space.

Known Issues

We incorrectly redirect to the dashboard if you access GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain also resolves correctly.

Images uploaded to issues are saved with an absolute URL, so they can break if the hostname changes.

On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.

Custom firewall rules aren't maintained during an upgrade.

Enqueued background jobs are sometimes not purged when a repository is deleted.

svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.